ASA 5510 with Static VLAN NAT

DavidReisner
Level 1

Hi friends,

I am Saravanan from Utah. One of our customers has asked us to NAT from the LAN to the Voice LAN based on destination IP address in order to access a public phone server through a vendor-managed voice router.

                                    Internet for everything else
                                               |
                                               |
Inside ---------------------> ASA 5510 ----------------> Voice router ------> outside to public phone server only
10.10.1.0/20                  10.10.1.7/320              172.16.20.1/24

Voice ---------------------->
172.16.20.0/24                172.16.20.254/24

Here the ASA 5510 has an interface in both networks and the inside network can ping the voice network through the firewall by using nonat ACLs. The phone server can only talk to the 172.16.20.0/24 network. So I need to NAT the 10.10.1.0/20 network to the Voice interface on the ASA, 172.16.20.254/24.

So I think I need the following static, but I get the error below:

static (Inside,Voice) interface 10.10.0.0 netmask 255.255.240.0

WARNING: All traffic destined to the IP address of the Voice interface is being redirected.

WARNING: Users will not be able to access any service enabled on the Voice interface.

ERROR: Invalid netmask with interface option

Sanitized ASA Config

ASA Version 8.2(5)
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.10.1.7 255.255.252.0
!
interface Ethernet0/1.2
 vlan 2
 nameif Voice
 security-level 100
 ip address 172.16.20.254 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0
access-list nonat extended permit ip 172.16.20.0 255.255.255.0 10.10.0.0 255.255.240.0
access-list Voice_in extended permit ip any any
access-list Voice_in extended permit icmp any any
access-list Voice_in extended permit gre any any
access-list Voice_in extended permit tcp any any
access-list Voice_in extended permit udp any any
access-list Inside_in extended permit ip any any
access-list Inside_in extended permit icmp any any
access-list Inside_in extended permit gre any any
access-list Inside_in extended permit tcp any any
access-list Inside_in extended permit udp any any
global (Outside) 10 interface
nat (Inside) 0 access-list nonat
nat (Inside) 10 10.10.0.0 255.255.240.0
nat (Voice) 0 access-list nonat
access-group Inside_in in interface Inside
access-group Voice_in in interface Voice
static (inside,Voice) 10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0
route Inside XX.XX.XX.XX XXX.XXX.XXX.XXX 172.16.20.1 1

Any help would be appreciated!

Thanks

5 Replies

zac192000
Level 1

Static(inside,inside) 10.10.0.0 255.255.255.240 10.10.0.0 255.255.240.0

Static(voice,voice) 172.16.20.0 255.255.255.0 172.16.20.0 255.255.255.0

Sent from Cisco Technical Support iPad App

Zill,

Thanks for the quick reply. The only commands that the ASA will take similar to what you put are:

static (Inside,Inside) 10.10.0.0 10.10.0.0 netmask 255.255.240.0

static (Voice,Voice) 172.16.20.0 172.16.20.0 netmask 255.255.240.0

And after entering these it still doesn't work.

Also, since I have the no nat in there for these same networks, wouldn't the ASA get confused when I add those two statics?

No, the statements that I sent to you are for the traffic that is initiating from voice zone to voice zone and from inside zone to inside zone...

One thing you need to make sure... If your requirement is to NAT the traffic from inside to voice then you should not use nonat statements, because if NAT-Control is enabled then you have to NAT every traffic whether your source is from inside to inside or from voice to voice or from inside to voice or from voice to inside.

You are using nonat from inside to voice and from voice to inside and at the same time you are using static 1 to 1 mapping for both networks. As per rules, the ACL will be checked first and traffic will never be NATted and static mappings will never come into play.

So you should remove your nonat statements.

Add the static statements that I mentioned to you earlier, remove the nonat statements and let me know.

Thanks

Sent from Cisco Technical Support iPad App

And use the correct subnet mask... I have written a different subnet mask in my first post and you are using a different one... Just make sure...

Thanks

Sent from Cisco Technical Support iPad App
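Two points in this thread lend themselves to an automated check: the "Invalid netmask with interface option" error in the original post, and the point in the replies above that NAT exemption (nat 0 access-list) is evaluated before static NAT, so a static covered by a nonat ACL never takes effect. The following Python lint is an added example, not part of the thread or any Cisco tool; it parses the 8.2-style lines in a sample config constructed from the page's own statements and flags both problems.

```python
import ipaddress
import re

# Constructed sample: the page's nonat lines and exemptions, plus the rejected
# "interface" static and a plain 1:1 static for the same real subnet.
SAMPLE_CONFIG = """
access-list nonat extended permit ip 10.10.0.0 255.255.240.0 172.16.20.0 255.255.255.0
access-list nonat extended permit ip 172.16.20.0 255.255.255.0 10.10.0.0 255.255.240.0
nat (Inside) 0 access-list nonat
nat (Voice) 0 access-list nonat
static (Inside,Voice) interface 10.10.0.0 netmask 255.255.240.0
static (Inside,Voice) 172.16.20.0 10.10.0.0 netmask 255.255.240.0
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit \S+ (\S+) (\S+) (\S+) (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")
# ASA 8.2 form: static (real_if,mapped_if) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lint_nat(config):
    """Return findings for 8.2-style NAT lines. Heuristic lint, not Cisco's parser."""
    acls, exempt, findings = {}, {}, []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(
                (net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
        m = NAT0_RE.match(line.strip())
        if m:
            exempt[m.group(1)] = m.group(2)
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_if, _mapped_if, mapped, real, mask = m.groups()
        # Rule 1: "interface" maps to the mapped interface's own single address, so
        # the real side must be one host; any other netmask is rejected by the ASA.
        if mapped == "interface" and mask != "255.255.255.255":
            findings.append(f"{line.strip()}: 'interface' static needs netmask 255.255.255.255")
        # Rule 2: NAT exemption runs before static NAT, so a static whose real subnet
        # sits inside an exempted source never applies to the exempted destinations.
        real_net = net(real, mask)
        for src, dst in acls.get(exempt.get(real_if, ""), []):
            if real_net.subnet_of(src):
                findings.append(f"{line.strip()}: shadowed by nat ({real_if}) 0 "
                                f"exemption {src} -> {dst}")
    return findings
```

Running `lint_nat(SAMPLE_CONFIG)` reports the netmask problem on the `interface` static and a shadowing finding on both statics, which is the situation described in the replies.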

NAT-Control is not enabled
